I understand JFrog uses libs that use Apache java libs. There is a security issue reported against Log4j.
Does the jfrog lib have a direct/indirect dependency on log4j?
Does a jfrog lib package end up carrying a flavor of log4j that is vulnerable?
Thanks
@videoguy
The Artifactory Java client 1.10.0 and above contains no vulnerable dependencies, direct or transitive.
This library uses slf4j-api:1.7.32, log4j-over-slf4j:1.7.32, and jcl-over-slf4j:1.7.32, which are not reported as vulnerable.
We have a tool that we built leveraging the jfrog lib. I was asked this question about Log4J as it is a Java-based tool. It is good to know that you have a solid post-build scan process to look for these issues and stop them in early stages.
I need to check if we are using 1.10.0 or a later version of jfrog.
Just curious, how is log4j-over-slf4j different from Apache Log4j?
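An added example, not part of the thread or of JFrog's code: a Python check over the text output of `mvn dependency:tree` that separates the Apache Log4j implementation jars from `org.slf4j:log4j-over-slf4j` (an SLF4J artifact that re-implements the log4j 1.x API and forwards calls to SLF4J) and names the direct dependency that pulls each one in. The sample tree is constructed; the `com.example:*` coordinates and the `0.0.0` versions are placeholders.

```python
import re

# Actual Apache Log4j implementation jars, as (groupId, artifactId).
APACHE_LOG4J = {("org.apache.logging.log4j", "log4j-core"), ("log4j", "log4j")}
# SLF4J's bridge: re-implements the log4j 1.x API and forwards to SLF4J.
SLF4J_BRIDGE = ("org.slf4j", "log4j-over-slf4j")

# Optional "[INFO] ", then the tree-drawing prefix, then the coordinate.
NODE = re.compile(r"^(?:\[INFO\] )?([|\s+\\-]*)(\S+)$")

def parse_node(line):
    """Return (depth, group, artifact, version) for a tree line, else None."""
    m = NODE.match(line.rstrip())
    if not m:
        return None
    parts = m.group(2).split(":")
    if len(parts) < 4:  # not a group:artifact:type:version coordinate
        return None
    version = parts[4] if len(parts) == 6 else parts[3]  # 6 fields = classifier
    return len(m.group(1)) // 3, parts[0], parts[1], version

def audit(tree_text):
    """List log4j-related artifacts and the direct dependency behind each."""
    findings, stack = [], []
    for line in tree_text.splitlines():
        node = parse_node(line)
        if node is None:
            continue
        depth, group, artifact, version = node
        del stack[depth:]  # keep only the ancestors of this node
        stack.append(f"{group}:{artifact}")
        if (group, artifact) in APACHE_LOG4J:
            kind = "apache-log4j"   # real Log4j code: check its version
        elif (group, artifact) == SLF4J_BRIDGE:
            kind = "slf4j-bridge"   # no Apache Log4j code inside
        elif "log4j" in artifact:
            kind = "review"         # other adapter or API jar: inspect by hand
        else:
            continue
        via = stack[1] if len(stack) > 1 else stack[0]
        findings.append((kind, f"{group}:{artifact}:{version}", via))
    return findings

# Constructed sample output; com.example:* and 0.0.0 are placeholders.
SAMPLE_TREE = r"""
[INFO] com.example:our-tool:jar:1.0.0
[INFO] +- com.example:repo-client:jar:0.0.0:compile
[INFO] |  +- org.slf4j:slf4j-api:jar:1.7.32:compile
[INFO] |  +- org.slf4j:log4j-over-slf4j:jar:1.7.32:compile
[INFO] |  \- org.slf4j:jcl-over-slf4j:jar:1.7.32:compile
[INFO] \- com.example:reporting:jar:0.0.0:compile
[INFO]    \- org.apache.logging.log4j:log4j-core:jar:0.0.0:compile
"""
```

Any `apache-log4j` finding still needs its version compared against the vendor advisory; the script only locates the jar and the dependency that introduces it.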